[Icecast] SSL Setup

José Luis Artuch artuch at speedy.com.ar
Fri Jul 21 16:41:30 UTC 2017


Hello!

On Mon, 10-07-2017 at 09:31 +0000, Philipp Schafft wrote:
> Good morning,
> 
> 
> On Mon, 2017-07-10 at 01:25 +0000, ScanCaster wrote:
> > IceCast is one of the last services I have that doesn't connect
> > securely, 
> > and I am looking to close that hole....
> > [...]
> > OK... add a port for SSL for IceCast in icecast.xml...path for cert
> > file 
> > in same.... no biggie
> 
> The <ssl-certificate> belongs in the <paths> section of the config
> file.
> (I'm not sure what you mean with 'in same', just wanted to make it
> clear.)
> 
> 
> > The key/cert needs to be in a dir and file with applicable
> > permissions 
> > for the IceCast user... no biggie..
> > 
> > chown icecastusergroup:icecastusergroup  certfile
> 
> 
> > What I am looking to confirm is that the cert file needs to
> > contain:
> > 
> > -----BEGIN RSA PRIVATE KEY-----
> > MII
> > -----END RSA PRIVATE KEY-----
> > 
> > -----BEGIN CERTIFICATE-----
> > MI
> > -----END CERTIFICATE----- 
> > 
> > Where the Cert is the file/text Comodo sends me, and the key is the
> > one 
> > openssl spit out earlier, 
> > 
> > Combine them up in certfile, Correct? Special order?? KEY then
> > Cert, or v-v? Line separating them?
> 
> The format is the OpenSSL format: key, blank line, cert (chain).
> echo | cat key.pem - cert.pem > combo.pem
> 
> 
> > kill -HUP pidOfIcecast
> 
> As of Icecast2 2.4.x you need to restart Icecast to reload the cert.
> There is however a fix in 2.5.x (development) which is hopefully
> released with the next development update.
> 
> 
> > And good????
> > 
> > One thing can the web server spit out just a text file that is used
> > by 
> > Comodo to verify ownership of the domain? The DNS method normally 
> > fails....
> 
> Sure. Just put it into the webroot (<webroot> in <paths>). Icecast
> handles files in webroot according to your operating system's
> mime-type table.
> 
On Debian 9, in the configuration file it says:

<webroot>/usr/share/icecast2/web</webroot>
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>

What should be the correct path of the icecast.pem file?
Should it be /usr/share/icecast2/web/icecast.pem?

Thanks.
> 
> > ie: http://icecast.domain.invalid/somestringofletersnumbers.txt
> > That they 
> > request if it's dumped in the webroot stuff of Icecast? Without any
> > XSLT 
> > markup?
> 
> Icecast only processes XSLT files as XSLT.
> 
> 
> > So if I added a listening port on 80 for this, then took it away, 
> > since I don't use that for Icecast... Icecast is on its own server
> > which 
> > does not have Apache... web stuff for other things is on its own
> > box. I 
> > never have used the Icecast to serve up anything other than the
> > default 
> > admin etc. stuff it does by default...
> 
> To avoid the need to run Icecast as privileged user in order to bind
> to
> low ports (if Comodo really insists on using port 80) you can use
> your
> firewall to do a local redirect.
> 
> 
> Hope this is of help to you,
> 
> with best regards,
> 
> 
> _______________________________________________
> Icecast mailing list
> Icecast at xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast
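
The points raised in this thread (key, blank line, cert chain in one file; permissions limited to the Icecast user; files under <webroot> being served to clients) can be checked with a short script. This is an added example, not part of the original messages: the function names `build_combo` and `check_combo` are made up here, and keeping the PEM file outside <webroot> is this example's assumption, based on the file containing the private key.

```shell
#!/bin/sh
# Added example, not from the thread. Paths passed in are the caller's own.

# build_combo KEY CERT OUT: write key, blank line, cert (chain) to OUT.
build_combo() {
    # umask keeps a newly created file private; chmod covers an existing one.
    ( umask 077 && { cat "$1"; echo; cat "$2"; } > "$3" && chmod 600 "$3" )
}

# check_combo PEM WEBROOT: return 0 only if layout, mode and location are sane.
check_combo() {
    pem=$1; webroot=$2
    # Line numbers of the first private-key and first certificate headers.
    key_line=$(grep -n -e '-----BEGIN .*PRIVATE KEY-----' "$pem" | head -n 1 | cut -d: -f1)
    crt_line=$(grep -n -e '-----BEGIN CERTIFICATE-----' "$pem" | head -n 1 | cut -d: -f1)
    [ -n "$key_line" ] || { echo "FAIL: no private key in $pem" >&2; return 1; }
    [ -n "$crt_line" ] || { echo "FAIL: no certificate in $pem" >&2; return 1; }
    [ "$key_line" -lt "$crt_line" ] || { echo "FAIL: certificate precedes key" >&2; return 1; }

    # Group/other permission bits (columns 5-10 of ls -l) must all be unset.
    mode=$(ls -ldL "$pem" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "FAIL: $pem accessible beyond its owner" >&2; return 1; }

    # The file holds the private key, so it must not sit under the served webroot.
    pem_dir=$(cd "$(dirname "$pem")" && pwd -P) || return 1
    web_dir=$(cd "$webroot" && pwd -P) || return 1
    case "$pem_dir/" in
        "$web_dir"/*) echo "FAIL: $pem is inside webroot $web_dir" >&2; return 1 ;;
    esac
    echo "OK: $pem"
}
```

After `build_combo`, the file still has to be owned by the user Icecast runs as (the `chown` step quoted above), which this check does not verify.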

